Privacy Policy

1. Data controller

The data controller for personal data is Flowly, based in France.

For any privacy-related question, reach us at support@myflowly.co.

2. Data we collect

We only collect what's necessary for the service to work:

• Account data: email address, first name or alias, Apple Sign-In identifier (if you use "Sign in with Apple").
• Habit data: goals, habits you create, completion history, streaks.
• Onboarding data: declared emotional state, past experience with routines, daily available time, preferred progression style, support preference.
• Subscription data: subscription status, transaction identifiers (Apple App Store, Google Play). We never receive your payment card number.
• Technical data: push notification token, language and theme preferences, device model and OS version (for diagnostics).
• Usage data: interactions with the app (screens opened, actions), timestamps, to improve the product.

3. How we collect this data

• Directly: when you create an account, complete onboarding, or use the app.
• Via Apple Sign-In: if you choose this sign-in method, we receive an anonymous identifier and, depending on your choice, your email (real or Apple relay).
• Automatically: non-identifying technical information (device type, system language) while you use the app.

4. Why we process this data

• To provide and maintain the Flowly service.
• To generate your personalized routines via AI.
• To send the notifications you've enabled.
• To understand aggregated app usage and improve the product.
• To handle support requests.
• To manage subscriptions and payments (via Apple and Google).

5. Legal basis (GDPR)

• Performance of a contract: to provide the service you subscribed to.
• Consent: for push notifications and sensitive data (emotional state).
• Legitimate interest: to improve the service and prevent abuse.
• Legal obligation: to retain transaction records.

6. Third-party services and processors

Flowly relies on carefully selected third-party services. Each applies its own privacy policies:

• Supabase (database and authentication) — https://supabase.com/privacy
• OpenAI (AI-generated habits; prompts are not used to train consumer models) — https://openai.com/privacy
• Apple (Sign in with Apple, StoreKit) — https://www.apple.com/legal/privacy/
• Expo (builds, push notifications) — https://expo.dev/privacy

7. Data retention

Your data is retained as long as your account is active.

If you delete your account, all personally identifiable data is deleted within 30 days. Some anonymized data may be retained for statistical purposes, and some transaction records may be retained to meet our legal obligations (accounting, tax).

8. International transfers

Your data is hosted by Supabase on servers located in the European Union and/or the United States. Non-EU transfers are covered by Standard Contractual Clauses (SCCs) as required by the GDPR.

9. Your rights (GDPR — EU users)

If you reside in the European Union, you have the following rights:

• Access to your personal data.
• Rectification of inaccurate data.
• Erasure ("right to be forgotten").
• Portability of your data in a structured format.
• Restriction of processing.
• Objection to processing based on legitimate interest.
• Withdrawal of consent at any time.
• Lodging a complaint with a supervisory authority (in France: CNIL — https://www.cnil.fr).

To exercise your rights, email us at support@myflowly.co. We respond within 30 days.

10. Your rights (CCPA/CPRA — California residents)

If you reside in California, you additionally have the following rights:

• Right to know what personal data is collected and how it's used.
• Right to delete your personal data.
• Right to correct inaccurate data.
• Right to opt out of the sale or sharing of your data (Flowly does not sell or share your data for advertising purposes).
• Right to non-discrimination for exercising these rights.

11. Sensitive data

Some information you provide (emotional state, wellness goals) may be considered sensitive. It's used solely to personalize your routines. It's never shared with third parties for commercial purposes and is not used to train public AI models. Processing relies on your explicit consent, which you can withdraw at any time by deleting your account.

12. Minors

Flowly is not intended for users under 16. We do not knowingly collect data from minors under 16. If you believe a minor has provided us with data, contact us at support@myflowly.co for deletion.

13. Push notifications

If you enable notifications, we store an opaque token provided by Apple or Google to deliver the reminders you've configured. This token doesn't allow us to identify you personally. You can disable notifications any time in your device settings or in the app.

14. Security

All communication between the app and our servers is encrypted via HTTPS (TLS). Data is stored securely with Supabase (Row Level Security enabled). On iOS, sensitive local information is stored via SecureStore (Keychain). No system is bulletproof, but we follow recognized industry standards.

15. Changes to this policy

We may update this policy to reflect product or legal changes. For material changes, we'll notify you by email or via an in-app notice before the changes take effect.

16. Contact us

For any question, rights request, or complaint, email us at support@myflowly.co. We aim to respond within 30 days.